168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe
Size

211KB
MD5

002cd40d89af9998c7c428ba43d1ee00
SHA1

a29a26db429dddcf4d5c4bc56589848e8e9896ea
SHA256

168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92
SHA512

f84eb5fd58fdc3882dd918957ee2604cb12127480d0ae8095ca1e47c14b3e498ff3a33951c75db4824ab577a1d46a680f1bc8364524cfd601985bdb9dc15c127
SSDEEP

6144:UmKVGe1XIpQiU/ma3MB8hH2Tkp6bYnWcZVol0N5TzQ3:O71YpQiU/RcO1VQInVob

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1732 svchost.exe

pid	process
1732	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe

pid	process
1740	168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe
1740	168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cf45a0e3 = "C:\\Windows\\apppatch\\svchost.exe"	168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe

Drops file in Program Files directory 18 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyhiz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qegyval.com	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe

description	ioc	process
File created	C:\Windows\apppatch\svchost.exe	168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe

Modifies registry class 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\MuiCache svchost.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid process

1732 svchost.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe

pid process

1740 168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\MuiCache	svchost.exe

pid	process
1732	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exesvchost.exe

description	pid	process
Token: SeSecurityPrivilege	1740	168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe
Token: SeSecurityPrivilege	1740	168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe
Token: SeSecurityPrivilege	1732	svchost.exe
Token: SeSecurityPrivilege	1732	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe

description	pid	process	target process
PID 1740 wrote to memory of 1732	1740	168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe	svchost.exe
PID 1740 wrote to memory of 1732	1740	168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe	svchost.exe
PID 1740 wrote to memory of 1732	1740	168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe	svchost.exe
PID 1740 wrote to memory of 1732	1740	168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe
"C:\Users\Admin\AppData\Local\Temp\168b183e4e964395b70b7f540673f85026455458a1adff54e40d56c77b49ad92.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1559664f51fc8ee984f0eac5fe9c9977

SHA1
39835cacb7282c9f2eb5803977651425a05e5e19

SHA256
1c4ce47fe1054ab2c2231a49168a82b4d8f9a59d59d4eda8bd9877f11e74775a

SHA512
721a0a2713632b620c4edc40b5c72e21b3adb42b8f468b26b2fe3dc4b81fc921bc498015d511ffe02d2d0821a74432a0a8014b44fdb366ef7cf24ae418b75c57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
bff95497f9b3f452889e25a1bb205d49

SHA1
dfc4c4880e28085a1fdbc05e854d1639abd18285

SHA256
ae12566fb7e336e71deef2a9463be0621813bf96402039b138e61da788304af2

SHA512
82705e2ce13f730404ae38fccd13ff3347e4416276fa5bf160be44878656acd7fddfc5e49575e4eb254d5a0ac246f3554cec2a076035649aa02693be33340e1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\Cab3D91.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\Tar3E02.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
211KB

MD5
8149ce62d48b4075d763ffe0077b56a2

SHA1
bc431382eba090af5cc2f8ec6d816edb9c73f042

SHA256
2cbffc88c3b442aeb791042994ec3e061cb9c25f289317f9bef7b1e05c4e64bc

SHA512
314127514621f702078fd0d7c077adf9ec11fc037be1e33eff80c38bc94e953004a9c567531030f888fea5896e3430af628ef739f40b98635bba924c8c39f1ae

Download Submit
memory/1732-68-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-85-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-31-0x0000000002630000-0x00000000026DA000-memory.dmp

Filesize
680KB

Download
memory/1732-29-0x0000000002630000-0x00000000026DA000-memory.dmp

Filesize
680KB

Download
memory/1732-27-0x0000000002630000-0x00000000026DA000-memory.dmp

Filesize
680KB

Download
memory/1732-23-0x0000000002630000-0x00000000026DA000-memory.dmp

Filesize
680KB

Download
memory/1732-35-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-38-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-39-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-42-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-47-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-57-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-80-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-64-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-84-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-83-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-82-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-81-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-79-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-77-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-76-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-75-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-74-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-73-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-72-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-71-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-70-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-69-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-65-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-67-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-66-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-20-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1732-34-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1732-63-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-62-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-61-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-60-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-59-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-58-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-56-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-55-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-78-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-54-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-53-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-52-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-51-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-50-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-49-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-48-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-41-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-46-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-45-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-44-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-43-0x00000000027E0000-0x0000000002897000-memory.dmp

Filesize
732KB

Download
memory/1732-22-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1732-33-0x0000000002630000-0x00000000026DA000-memory.dmp

Filesize
680KB

Download
memory/1732-25-0x0000000002630000-0x00000000026DA000-memory.dmp

Filesize
680KB

Download
memory/1740-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1740-21-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1740-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1740-1-0x0000000000340000-0x0000000000392000-memory.dmp

Filesize
328KB

Download
memory/1740-19-0x0000000000340000-0x0000000000392000-memory.dmp

Filesize
328KB

Download
memory/1740-18-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download